Snowe: Cybersecurity coordinator lacks accountability

Committee heard from former federal cybersecurity officials and other experts who sounded alarm bells.

A senior Republican on the Senate Commerce Committee criticized the Obama administration Tuesday for appointing a cybersecurity coordinator who cannot testify before Congress.

The committee heard from former federal cybersecurity officials and other experts who sounded alarm bells that the nation is failing to mount an effective defense against attacks on critical infrastructure networks, such as those in the nation's financial industry, telecommunications system and electrical grid.

"If the nation went to war today in a cyber war, we would lose," said retired Adm. Michael McConnell, who served as director of national intelligence in the Bush administration. "We're the most vulnerable. We're the most connected. We have the most to lose."

Sen. Olympia Snowe, R-Maine, noted that absent from the hearing was Howard Schmidt, whom President Obama appointed in December as the nation's first cybersecurity coordinator.

"In his position, he's a member of the National Security Council and cannot testify," Snowe said in an interview after the hearing. "Given the significance of this issue ... it really needs to rise to a different level."

Tensions between lawmakers and the White House over how best to address cybersecurity vulnerabilities come at a time when the networks of government and private companies are under increasingly sophisticated cyber attacks, according to security experts.

Given the serious nature of cybersecurity, Snowe said, it is unacceptable to have a senior administration official who is not accountable to Congress and meets behind closed doors.

Snowe and Senate Commerce Chairman John (Jay) Rockefeller have been working for a year on comprehensive cybersecurity legislation, which includes the creation of a Cabinet-level, Senate-confirmed cyber adviser who would report directly to the president.

They are now on their fourth iteration of the bill but do not have a timeline for marking it up in their committee. "We'd like to get something done this year," Snowe added. "Is it possible? It remains to be seen."

During the hearing, McConnell said it will likely take a "catastrophic" cyber attack to change how the government and private companies protect critical information networks.

McConnell and James Lewis, senior fellow at the Center for Strategic and International Studies, said federal mandates will likely be needed to force private companies to become more secure.

"Industry is not going to embrace this unless they are forced to do it," McConnell said.

But Scott Borg, director of the nonprofit research group U.S. Cyber Consequences Unit, cautioned against strict federal mandates. Instead, he said, the government can help private companies function better, such as by offering incentives to better secure their networks and sharing threat information with them.

"If the government tries to mandate standards, they will be out of date -- and an actual impediment to better security -- before they can be applied," Borg said in his written testimony.

"If there is any area of the American economy that needs creative, entrepreneurial problem solving, it is therefore cyber security," he added. "Yet our markets are not currently delivering improvements in cybersecurity at anything like the necessary rate."